CISCO and kerberos

Nikolay Shopik shopik at inblock.ru
Tue Sep 1 09:41:03 EDT 2009


On 01.09.2009 14:55, Nikos Nikoleris wrote:
> jarek wrote:
>> Hi all!
>>
>> I'd like to configure CISCO Catalyst to use kerberos against AD server
>> W2008. I'd like to login to cisco using ticket and telnet.krb5 from
>> krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
>> getting:
>>
>> [ Kerberos V5 refuses authentication ]
>> kerberos_server_auth:    Couldn't authenticate client from
>> test-nms.test.local.
>>
>> What can be wrong ?
>>
>> Has someone working example of CISCO config for such scenario ?
>>
>> J.
>
> Hi Jarek,
>
> A Cisco is working here with Kerberos authentication, but the KDC is Heimdal
> Kerberos. Some suggestions are:
> * Timing issues, you have to make sure both the kdc and the cisco are
> sync'd... (That's very important)
> * Try uploading the keytab using only the DES-CBC-CRC enc of the cisco
> principal...
> * Your cisco should have a configuration like:
> aaa new-model
> aaa authentication login default krb5-telnet krb5 local enable
> aaa authorization exec default krb5-instance
> kerberos local-realm YOUR.REALM
> kerberos srvtab entry host/FQDN.OF.YOUR.SWITCH@YOUR.REALM (there should
> be some numbers here as well)
> kerberos clients mandatory
> kerberos server YOUR.REALM $(IP of your KDC)
> kerberos instance map admin 15 # this will map kerberos users */admin to
> the superuser of cisco
> kerberos credentials forward # that's optional
>
> # I strongly suggest this as well adjusted to your case
> ntp server your.ntp.server
> clock timezone GMT -6
> clock summer-time CDT recurring
>
> -- Nikos
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Hi Nikos,

If I'm not mistaken, they don't yet support Kerberos for SSH, do they?
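Nikos's three suggestions above (clocks in sync, a srvtab that carries only the DES-CBC-CRC key, and a host principal whose realm matches the switch's "kerberos local-realm") can all be checked on the admin host before the srvtab is copied to the switch. The script below is an added example for this thread, not code from the thread or from Cisco; the switch name switch.test.local, the realm TEST.LOCAL, the keytab path and the sample klist output are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight checks for a Kerberos telnet login to an IOS switch.
# Added example for this thread, not code from the thread or from Cisco.
# Names below (switch.test.local, TEST.LOCAL, switch.keytab) are placeholders.

# Constructed sample of `klist -ket switch.keytab` output (not a real keytab).
# SAMPLE_GOOD holds only a DES key; SAMPLE_BAD also carries an AES key, which
# is what you get from ktpass /crypto All and which IOS cannot use.
SAMPLE_GOOD='Keytab name: FILE:switch.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------------
   2 09/01/2009 10:00:00 host/switch.test.local@TEST.LOCAL (des-cbc-crc)'
SAMPLE_BAD="$SAMPLE_GOOD
   2 09/01/2009 10:00:00 host/switch.test.local@TEST.LOCAL (aes256-cts-hmac-sha1-96)"

# check_keytab_enctypes PRINCIPAL KLIST_OUTPUT
#   KLIST_OUTPUT is the text of `klist -ket FILE`. Returns 0 when every key
#   for PRINCIPAL is des-cbc-crc, 1 when some other enctype is present (IOS
#   only speaks DES, so an AES or RC4 key in the srvtab breaks the login),
#   and 2 when PRINCIPAL is not in the keytab at all.
check_keytab_enctypes() {
    princ=$1
    keys=$(printf '%s\n' "$2" | grep -F -- "$princ" || true)
    [ -n "$keys" ] || return 2
    if printf '%s\n' "$keys" | grep -v -q 'des-cbc-crc'; then
        return 1
    fi
    return 0
}

# check_clock_skew LOCAL_EPOCH KDC_EPOCH [MAX_SECONDS]
#   Returns 0 when the two clocks differ by at most MAX_SECONDS (default 300,
#   the usual Kerberos clockskew), 1 otherwise. Feed it the epoch seconds
#   of the admin host and of the KDC (or the switch's "show clock").
check_clock_skew() {
    max=${3:-300}
    d=$(( $1 - $2 ))
    [ "$d" -ge 0 ] || d=$(( 0 - d ))
    [ "$d" -le "$max" ]
}

# check_principal PRINCIPAL SWITCH_FQDN LOCAL_REALM
#   Returns 0 when PRINCIPAL is exactly host/SWITCH_FQDN@LOCAL_REALM and the
#   realm is upper-case. Realms are case-sensitive: a switch configured with
#   "kerberos local-realm test.local" never matches a ticket for TEST.LOCAL.
check_principal() {
    princ=$1; fqdn=$2; realm=$3
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || return 1
    [ "$princ" = "host/$fqdn@$realm" ]
}

# preflight SWITCH_FQDN LOCAL_REALM KEYTAB
#   Live wrapper: reads the real keytab with klist(1) from MIT krb5 and runs
#   the principal and enctype checks against it.
preflight() {
    fqdn=$1; realm=$2; keytab=$3
    princ="host/$fqdn@$realm"
    out=$(klist -ket "$keytab") || { echo "cannot read $keytab"; return 1; }
    check_principal "$princ" "$fqdn" "$realm" \
        || { echo "FAIL: realm must be upper-case: $realm"; return 1; }
    rc=0; check_keytab_enctypes "$princ" "$out" || rc=$?
    case $rc in
        0) echo "ok: $princ has only des-cbc-crc keys in $keytab" ;;
        1) echo "FAIL: $princ has a non-DES key; regenerate the keytab" \
                "with ktpass /crypto DES-CBC-CRC (AD) or ktutil (MIT)"; return 1 ;;
        2) echo "FAIL: $princ is not in $keytab"; return 1 ;;
    esac
}

# Only run the live checks when invoked with the three arguments.
if [ $# -eq 3 ]; then
    preflight "$@"
fi
```

Usage: `sh preflight.sh switch.test.local TEST.LOCAL switch.keytab`, then `check_clock_skew "$(date +%s)" <kdc-epoch>` with the KDC's clock read however you normally do it. Once all three checks pass, the srvtab is copied to the switch with `kerberos srvtab remote <tftp-host> switch.keytab`, which produces the `kerberos srvtab entry` line (with the key version and key material) that Nikos's config shows.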